SearchSecurity.com are running a great article entitled "IP cloaking becoming a business necessity", and I simply can't resist expressing my opinion on it.

It's a great concept that's been around since the days of Anonymizer, who were perhaps the first company to start targeting enterprise and government users looking for ways to hide their online activities, be it unstructured data aggregation, competitive intelligence or simple end users' browsing.

Getting back to SearchSecurity's article, I don't really consider a company's SEC filings or annual reports (found on any corporate web site) a trade secret! In this particular case, I bet it was extraordinary traffic from known partners that tipped them off that there's a sudden interest in the company's business performance. Any organization could easily look for patterns on its web server, such as how often certain stakeholders visit it, given they use their associated netblocks, or ones known to be used by them. What is also worth noting is that, given the stakeholders in this case (employees, stockholders, suppliers, government, the general public or anyone else who has a claim on the way the organization operates), it would be hard, pretty much impossible, to differentiate the intentions of any of these.

Small companies can easily measure their popularity among the big players, again, given these companies use their netblocks, but a large corporation with hundreds of thousands of visitors would have to put extra effort into measuring not only what's popular, but who's reading it, and whether they are on its watchlist.

How to compile these? I'm certain someone out there has taken the time and effort to compile a Fortune 500 IP ranges list the way GovernmentSecurity.org have compiled a Government & Military IP ranges list. I soon expect to see companies offering segmented services for watchlists like the ones I mentioned, for instance law firms, financial institutions and non-profit organizations segmented by geographical location, let's say New York or Tokyo based ones. An in-house approach can always be applied by any company, no matter its size; all you have to do is your homework at RIPE.net, for instance:
- RSA Security
- Symantec
- Sophos
- Kaspersky
- ISS (Internet Security Systems)

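The netblock check described above, as an added example that is not part of the original post: it matches web server log entries against a watchlist of CIDR ranges and counts which pages each listed organization requested. The organization labels, the documentation-range netblocks and the log lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed watchlist: label -> netblocks (RFC 5737 documentation ranges stand in
# for the ranges you would look up in a registry such as RIPE).
WATCHLIST = {
    "Partner A": ["192.0.2.0/24"],
    "Supplier B": ["198.51.100.0/25", "203.0.113.64/26"],
}

# Constructed sample in Common Log Format, including noise and a malformed line.
SAMPLE_LOG = """\
192.0.2.17 - - [10/Jan/2006:09:12:01 +0000] "GET /investors/annual-report.pdf HTTP/1.1" 200 48211
192.0.2.44 - - [10/Jan/2006:09:15:40 +0000] "GET /investors/annual-report.pdf HTTP/1.1" 200 48211
198.51.100.9 - - [10/Jan/2006:10:02:13 +0000] "GET /press/q4-results.html HTTP/1.1" 200 9120
198.51.100.200 - - [10/Jan/2006:10:03:55 +0000] "GET /press/q4-results.html HTTP/1.1" 200 9120
203.0.113.70 - - [10/Jan/2006:11:20:09 +0000] "GET /investors/annual-report.pdf HTTP/1.1" 200 48211
10.1.2.3 - - [10/Jan/2006:11:21:00 +0000] "GET /index.html HTTP/1.1" 200 1024
this line is not a log entry
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)[^"]*" \d{3}')

def build_index(watchlist):
    """Flatten the watchlist into (network, label) pairs."""
    return [(ipaddress.ip_network(c), org) for org, cidrs in watchlist.items() for c in cidrs]

def classify(ip, index):
    """Return the label of the most specific matching netblock, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # hostname or garbage in the client field
    matches = [(net, org) for net, org in index if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def watchlist_hits(log_text, watchlist):
    """Count requested paths per watchlisted organization."""
    index = build_index(watchlist)
    hits = defaultdict(Counter)
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        org = classify(m.group(1), index)
        if org is not None:
            hits[org][m.group(2)] += 1
    return {org: dict(paths) for org, paths in hits.items()}
```

Note that 198.51.100.200 falls outside the /25 on the list and is not counted, which is why the accuracy of the netblock research matters as much as the log parsing.
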
An important trend though, is how the transparency that ICANN wants to build whenever a domain is registered, in order to easily prosecute cyber criminals, will open up countless opportunities for open source intelligence professionals or wannabes. A recently released report by the U.S. Government Accountability Office found 2.3M domain names registered with false data, given that's just the result they came up with by sampling. Here are also the important findings.

Without any doubt, it should be known who's who in the Internet's domain and IP block space, but knowing it, and complying with this due to regulations or good will, is going to lead to further consequences for your organization.

Let's take anti-virus vendors for instance. I often say that anti virus is a necessary evil - given it's active!! Signature-based defense is futile, windows of opportunity emerge faster, 0day threats contribute, and overall, malware is starting to attack on a segmented basis => fewer major outbreaks, but the rate of signature updates is still a benchmark the public and some of the vendors like talking about. Email-Worm.Win32.Doombot.b, for instance, is a good example of how the malware author is rendering the antivirus software a useless application, just by blocking it from accessing its update locations (publicly available, easy to find out through sniffing etc.).

Even though the author may wish he/she could "write" to these locations, that's not necessary; what matters is the temporary advantage of exposing the user/organization to a particular window of opportunity, by making sure access to removal instructions and actual updates is disabled! Doombot's list is short, and a bit of a common sense one compared to others. And as always, the general public, sick of ads and parasites, have taken the effort to constantly release updated hosts files to tackle their concerns. I wonder when, and how, vendors are going to address this issue, an important one from my point of view?

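One way a defender could check for this kind of update blocking, assuming it is done through hosts-file entries (added example, not part of the original post): the script parses a hosts file and reports entries that override security-product hostnames. The hostnames and the sample hosts file are hypothetical placeholders, not the worm's actual list.

```python
import ipaddress

# Hypothetical update/support domains; substitute the ones your products really use.
PROTECTED_SUFFIXES = ("av-vendor.example", "updates.security-tool.example")

# Constructed hosts file: legitimate entries, an ad-blocking entry, and overrides.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       liveupdate.av-vendor.example  www.av-vendor.example
0.0.0.0         updates.security-tool.example   # inline comment
192.0.2.10      intranet.corp.example
127.0.0.1       ads.tracker.example
203.0.113.5     download.av-vendor.example
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and malformed lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def is_protected(name, suffixes=PROTECTED_SUFFIXES):
    """True if name is a protected domain or one of its subdomains."""
    return any(name == s or name.endswith("." + s) for s in suffixes)

def suspicious_entries(text, suffixes=PROTECTED_SUFFIXES):
    """Return (hostname, ip, verdict) for every protected name the file overrides."""
    findings = []
    for ip, name in parse_hosts(text):
        if not is_protected(name, suffixes):
            continue  # ad-blocking and intranet entries are not the concern here
        sinkholed = ip.is_loopback or ip.is_unspecified
        findings.append((name, str(ip), "blocked" if sinkholed else "redirected"))
    return findings
```

Any hosts-file entry for a protected name is worth investigating, since these products normally resolve their update servers through DNS; a "redirected" verdict deserves the same attention as a "blocked" one.
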
IP cloaking at the corporate level is still in its early stages, but represents a growing market due to the following factors, among many others of course:
- governments and intelligence agencies are actively taking advantage of open source intelligence, OSINT, and vendors are already starting to offer relevant services. The Anonymizer, among others, also has specially government/enterprise tailored services
- enterprises are getting extremely conscious about what others know of their surfing interests, and what stakeholders on their watchlist are looking at, on any of their extranets or corporate web sites
- citizens from countries with extremely restrictive Internet censorship practices will fuel the market's growth even more

Further reading can be found at:
- Protecting Corporations from Internet Counter-Intelligence
- Cloaking types